and Kmart also being hit here in Australia. We’ve also seen
another peculiar trend emerge from the backrooms of security
research companies, where new vulnerabilities are marketed
with a sexy name, well-designed websites and sensationalist
commentary to make them newsworthy. If the security team
is not focusing on these two areas, then they aren’t doing their
job right, while all the other threats fall by the wayside. But
this approach is wrong. Managing security outcomes aligned
with this kind of media sensationalism will only serve to
protect one aspect of your castle, so you’ll have all your troops
at the front gate, not realising your tunnels are unprotected
and your streets are full of spies.
The Internal Malady
Security is a process and needs to be tackled in a methodical
and sequential manner, where you start with a threat
assessment, then conduct a full audit of your assets, classifying
the assets against a scheme of labelling that allows you to a)
determine the impact of loss of confidentiality, integrity or
availability, and hence b) the risk to the organisation of this
impact being realised.
Your threat assessment will undoubtedly categorise a
variety of threat actors, along with their attributes, such as
likelihood of them attacking you, as well as their means,
motive and intent. One such group is the insider threat actor
category, which can be further decomposed into the following
subgroups:
• Current employee with standard system access rights
• Current employee with elevated system access rights
• Current subcontractor or partner with standard system
access rights
• Current subcontractor or partner with elevated system
access rights

When you then consider the three elements of means, motive
and intent, you start to build a fairly comprehensive picture of
what could happen if any of these threat actors were present
in your business and had the associated rights to access
information assets.
Who are these Insiders?
Reports of external actors recruiting members of staff to act
against their own organisation are common, originating from
foreign governments, competitors and organised criminal
gangs, all with something to gain. In 2011, the results of
a survey conducted by the U.S. Secret Service, the CERT
Insider Threat Centre, CSO Magazine and Deloitte, showed
that the most common crimes perpetrated by malicious
insiders were:
• Unauthorised access to or use of corporate information
• Unintentional exposure of private or sensitive data
• Viruses, worms, or other malicious code
• Theft of intellectual property (IP)
History has shown us that few insider threats are acts of
impulsive opportunity. Mostly, the crime is premeditated and
the motive has come from a change of circumstance – unless
it’s part of a longer strategy by an external actor, where the
employee is a ‘plant’ and has been untrustworthy from the
beginning. The majority of actions an insider will take are
keenly planned, and the insider will attempt to cover their
tracks as they go. Furthermore, no matter what the external
influence is, something will have affected the internal threat
actor to make them act: mounting up a gambling debt, an
extra-marital affair or an addiction to illicit drugs. Once an
external threat actor has leverage over a member of your
staff, then they can be coerced into attacking you.
The vulnerabilities that affect insiders are wide and
varied. In some cases, it may simply be because they have
become disillusioned with the company or the policy of your
government. Edward Snowden, for example, has publicly
stated that he no longer believed in the U.S. government or
trusted the motives behind their national security programs.
He felt that their actions and leaders needed to be held to
account under public scrutiny, which led to the massively
damaging leak of highly sensitive data. It could be that your
rogue insider wants to exact revenge on his boss, or the
whole organisation, believing they have been overlooked for
promotion or discriminated against. The other category of
malicious insiders is those driven by personal or financial
gain, who are looking for something that the organisation
cannot or won’t give them, especially where they have a
personal vulnerability, such as gambling debts or a drug habit.
The point is, there is no typical profile for what an insider
might look like or act like, which is the primary reason they
are such a difficult threat to detect and a complicated one to
deal with.
Innocent Mistakes
The one area of major concern that you can deal with
relatively easily is that of innocent mistakes. If you have not
trained staff on how they should behave and ensured they
all know what they are doing, how they should act, and how
they should interact with your systems, then there is little
you can do if they do something wrong. A comprehensive
security awareness program, with training, exercises, and
regular communications campaigns, will ensure your security
messages get heard. Review your induction program to
make sure staff know what to do on the very first day of
their employment, so that there can be no doubt of what is
acceptable and what isn’t.